An administrator with access to Varnish configuration settings and the design configuration can trigger remote code execution through PHP object instantiation.

Product(s) Affected:

Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7

Fixed In:

Magento 2.1.16, Magento 2.2.7, Magento 2.3.0

Reporter:

convenient

PRODSECBUG-2160: Unauthorized File Upload via Customer Attributes

Type:

Remote Code Execution (RCE)

CVSSv3 Severity:

9.0

Known Attacks:

none

Description:

Product(s) Affected:

Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7

Fixed In:

Magento 2.1.16, Magento 2.2.7, Magento 2.3.0

Reporter:

mpchadwick

PRODSECBUG-2151: Remote Code Execution through Path Traversal

Type:

Remote Code Execution (RCE)

CVSSv3 Severity:

8.8

Known Attacks:

none

Description:

Administrators with limited privileges can upload an unauthorized template by using path traversal. Although most forms do not authorize this type of upload, an attacker could create a product with a file custom option that accepts an unauthorized template file.

Product(s) Affected:

Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7

Fixed In:

Magento 2.1.16, Magento 2.2.7, Magento 2.3.0

Reporter:

Blaklis_

PRODSECBUG-2154: Remote Code Execution through the Admin

Type:

Remote Code Execution (RCE)

CVSSv3 Severity:

8.5

Known Attacks:

none

Description:

A user can upload unauthorized files while creating a downloadable product.

Certain template directives permit users to write dynamic content. A malicious user could use special characters in this content to circumvent the CSS directive that allows the CSS file to be loaded directly into the body of the content. In turn, this permits content to be uploaded to various directories.